The Linux Administration group is for the discussion of technical issues that arise during the administration of Linux systems, including maintaining the operating system and supporting end-user applications.

Daemons to Help Ban Particular IPs After Failed Login Attempts

I am currently trying to find something that would allow me to monitor my log files in Linux for particular strings – like “login failed” – and if that same message has been repeated from the same source IP 5 times, an iptables rule would then allow me to block the IP for 600 seconds. My first thought was to try creating a cron job that would grep the files and trigger the iptables rule if it was activated, but I was wondering if anyone knows whether there are daemons or utilities to do this specifically?


Hi,
You can probably use a straightforward Unix command line and pipeline for
this, something like:
$ tail -F <filename> | grep -i "login failed" | <shell script to do what you want>

The tail part will output anything added to the bottom of the file.
If you are using cycling on the log files, use -F, since -f works on the file
descriptor and not the file name. Simply put, when the log file cycles the
command will terminate.
Then, if the text "login failed" is found, you can do the iptables update
from a shell script you have created specific to your needs.
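
The counting and ban logic the question describes (5 failures from one source, 600-second block), as an added Python example that is not from either poster. Assumptions: the log line shape in PATTERN, the 600-second counting window, the names Banner, replay and SAMPLE, and the INPUT-chain DROP rule; the code returns iptables argument lists instead of running them.

```python
import ipaddress
import re
from collections import defaultdict, deque

THRESHOLD = 5      # failures from one source before a ban (from the question)
BAN_SECONDS = 600  # ban length in seconds (from the question)
WINDOW = 600       # assumption: only failures this recent are counted
# Assumed line shape "... login failed ... from <address>"; adapt to your log.
PATTERN = re.compile(r"login failed.*?\bfrom\s+(\S+)", re.IGNORECASE)

class Banner:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.banned = {}                    # ip -> time the ban expires
    def expire(self, now):
        """Drop bans that have run out; return the iptables delete commands."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"] for ip in done]
    def feed(self, line, now):
        """Handle one log line seen at time `now`; return iptables argv lists."""
        cmds = self.expire(now)
        m = PATTERN.search(line)
        try:
            # Log text is attacker-influenced: accept only a strict IPv4 address
            # (IPv6 sources would need ip6tables) and never build a shell string.
            ip = str(ipaddress.IPv4Address(m.group(1))) if m else None
        except ValueError:
            ip = None
        if ip is None or ip in self.banned:
            return cmds
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= THRESHOLD:
            self.banned[ip] = now + BAN_SECONDS
            del self.failures[ip]
            cmds.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        return cmds

def replay(events):
    """Feed (timestamp, line) pairs in order and collect every command."""
    b = Banner()
    return [cmd for now, line in events for cmd in b.feed(line, now)]

# Constructed sample lines, not from a real log; 203.0.113.7 is a documentation address.
SAMPLE = [(t, "sshd: login failed for root from 203.0.113.7") for t in range(5)]
SAMPLE += [(5, "login failed from 1.2.3.4;reboot"), (700, "session opened")]
```

Each returned list can be passed as-is to subprocess.run by a process with the needed privileges. Bans here only expire when another line arrives, so a quiet log needs a periodic call to expire().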

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.